Comparison between MPLS VPN and IPSec VPN


China Telecom's VPN offering is an MPLS VPN, an IP VPN based on MPLS (Multi-Protocol Label Switching). MPLS simplifies route selection in the core routers: instead of relying solely on traditional hop-by-hop IP routing, packets are forwarded by label (tag) switching. The resulting IP VPN is used to build broadband intranets and extranets that meet a variety of flexible business needs.


MPLS VPN has its advantages, but it also has significant disadvantages. Below we compare MPLS VPN and IPSec VPN from several aspects.

I. System Reliability

MPLS VPN is a data service built on a telecom carrier's network.

IPSec VPN is built entirely on the Internet, so its reliability depends on two things: the reliability of the line and the stability of the device.

From the perspective of device reliability, IPSec is the mainstream VPN protocol and the technology is relatively complete. IPSec-based VPN technology is now mature, and many products are stable and reliable.

Internet access is now widespread. Thanks to long-term investment in construction, Internet lines have reached a high standard: bandwidth is guaranteed and a variety of access methods are available. If one line fails, another backup line can be used to reach the Internet. MPLS, by contrast, relies on a single telecom operator; if that operator's network fails, the entire VPN is down. An IPSec VPN has strong fault tolerance because other lines can be kept as backups and used at any time, which cannot be achieved with MPLS links.

II. Investment Costs

From a cost perspective, MPLS can save on equipment investment, but in most cases users still need to buy devices such as routers.

In addition, the long-term rental cost of MPLS is not small, and international links are even more expensive.

IPSec VPN reuses the existing public-network line. Its one-time device investment is relatively large, but in the long run, once that cost is amortized, the total is much lower than that of MPLS VPN.

III. Ease of Access

Connecting to an MPLS VPN is relatively simple. The customer only needs to connect the customer edge device (CE) to the carrier's provider edge device (PE); the carrier is then responsible for both layer-2 data transport and layer-3 routing. This layer-3 MPLS VPN places few demands on the customer and costs the customer little. The common problem with this approach, however, is the lack of flexibility in access. Because an MPLS VPN is provided by a single carrier, cross-carrier connections are often a major problem: for example, the MPLS service provided by China Unicom and the MPLS service provided by China Telecom are hard to interconnect. Large customers often have branches all over the country, and it is unrealistic to expect the same carrier to be present and offer MPLS VPN service in every city, especially in remote areas and for mobile users. MPLS is regional, and MPLS services are currently unavailable in many regions.

IPSec VPN makes full use of the Internet. Wherever there is Internet access, IPSec VPN can be used to build the customer's own network. With the rollout of China Telecom's "last mile" technology, the Internet is truly everywhere. By using Internet resources together with IPSec VPN technology, an enterprise can easily establish a virtual private network spanning the globe.

As business continues to develop, there are more and more mobile and home-office users, so support for VPN clients is also very important. With an IPSec client, mobile users can exchange information with the enterprise anytime, anywhere. This is clearly not feasible with MPLS VPN. For customers with a large number of widely distributed sites, the time and capital investment that MPLS would require are unacceptable.

IV. Security

MPLS VPN protects against attacks and label spoofing by means of route isolation and address isolation. It is therefore generally believed that MPLS VPN provides line security comparable to Frame Relay/ATM.

However, MPLS VPN does not solve the security problems common to all managed shared networks: unauthorized access to protected network elements, misconfiguration, and attacks from inside the network (including the core). For example, when data is transmitted over an MPLS VPN, only the path to the endpoint is labelled; the data itself is not encrypted. The security of MPLS VPN is therefore only average.

The notable characteristic of IPSec VPN is its security, which is the foundation of the security of the data inside it. To transmit data securely over the Internet, IPSec VPN combines symmetric-key, asymmetric-key and hash (digest) algorithms to provide identity authentication, data encryption and data integrity verification, ensuring both access security and data privacy.
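To make the contrast in the last two paragraphs concrete, here is an added example (not code from the original article) that builds a single-label MPLS frame and an ESP-style IPSec packet and shows what a device inside the carrier core can read or alter in each. It uses only the Python standard library, so the ESP cipher is stood in for by an HMAC-SHA256 counter-mode keystream (an assumption for illustration; real ESP uses AES), with a truncated HMAC-SHA256 as the integrity check value.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple


def mpls_encap(label: int, ttl: int, payload: bytes) -> bytes:
    """Push one MPLS label entry: 20-bit label, 3-bit TC (0), S=1 (bottom of stack), 8-bit TTL."""
    entry = (label << 12) | (1 << 8) | ttl
    return struct.pack("!I", entry) + payload


def core_observer_mpls(frame: bytes) -> Tuple[int, bytes]:
    """What a device inside the carrier core sees: the label and the untouched, readable payload.
    Nothing here lets the receiver notice if the payload was changed in transit."""
    (entry,) = struct.unpack("!I", frame[:4])
    return entry >> 12, frame[4:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption; real ESP uses AES)."""
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def esp_encap(enc_key: bytes, auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ESP-style encapsulation: SPI and sequence number, a fresh nonce, the encrypted payload,
    and a 128-bit truncated HMAC-SHA256 ICV over all of it (encrypt-then-MAC)."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    body = struct.pack("!II", spi, seq) + nonce + ct
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:16]


def esp_decap(enc_key: bytes, auth_key: bytes, pkt: bytes) -> Optional[bytes]:
    """Verify the ICV before decrypting; any modification in the core makes this return None."""
    body, icv = pkt[:-16], pkt[-16:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha256).digest()[:16], icv):
        return None
    nonce, ct = body[8:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

The MPLS frame hands the core observer the cleartext payload and accepts a substituted payload silently, while the ESP packet exposes only the SPI, sequence number and ciphertext and rejects any tampered byte.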

V. Manageability

Because the communication relationships in an MPLS VPN are defined by the carrier, the customer's configuration is not flexible. At the same time, because a carrier's network is usually built from equipment of several manufacturers, it is very difficult for the carrier to manage the VPN devices.

IPSec VPN, by technical means such as digital certificates, implements a "centralized authentication, unified monitoring, hierarchical management" model for the whole VPN network. This not only fully guarantees the security of the whole network, but also effectively reduces the burden on network administrators and makes "zero device management" possible for branches with little technical expertise. At the same time, communication between different VPN devices can be controlled by technical means, which fully demonstrates the manageability of the VPN network. With IPSec, the enterprise keeps the network firmly in its own hands and can control the whole network remotely from the central site.

Finally, the following table summarizes the comparison between MPLS and IPSec VPN technologies.

| Aspect | MPLS | IPSec (over Internet) | Remarks |
|---|---|---|---|
| Access method | The ISP provides a link to the user | Any means of Internet access: residential broadband, mobile Internet, ADSL, dial-up, etc. | The latter is obviously easier to access |
| Cost | Low one-time investment, relatively high long-term cost | Relatively high one-time investment, very low long-term cost | Basically runs on the enterprise's existing Internet line; no additional access line is required |
| Stability | High, but basically no backup lines | Depends on the access link, but multiple access methods can back each other up | |
| Security / encryption | Relies on the operator's network isolation | IPSec's own strong security features | The IPSec VPN tunnel is better |
| Mobile client support | Difficult | Supported | |
| Operation and management | Provided by the telecom carrier or ISP | The customer manages and maintains it independently, completely isolated from outside parties | |
| Applicability | Regional; each operator builds its own MPLS network | Anywhere with Internet access | |

from: http://net.zdnet.com.cn/security_zone/2011/0326/2024638.shtml

Virtual Private Network (VPN) has become the de facto standard for secure remote access to company resources by partners and employees. In this article we explain two specific VPN types, IPSec VPN and SSL VPN, and how to choose between them.

Before examining the two types, a brief overview of VPN technology is in order. A VPN is a set of technologies that facilitate remote access to company resources. Its main users are employees who access company resources from home or other public places, and partners or third parties that support various systems within the company's infrastructure. A VPN generally establishes an encrypted channel between the remote site and the company network so that data can be carried across a public long-distance IP network. The remote site may be an employee's laptop or a third-party system.

Key Technologies

Currently, the two most popular VPN technologies are IPSec-based VPN and Secure Sockets Layer (SSL) based VPN. The former operates mainly at the network layer, the latter mainly at the application layer. They differ in the underlying technology used, in the functions and services offered, and in the VPN security risks they carry.

IPSec was originally designed to provide point-to-point connections between remote sites and central office resources; in this scenario the client might be a branch office or a supplier. The protocol works at a low layer of the network stack (layer 3, the network layer) and can carry packets of any IP-based protocol, regardless of which application generated the traffic. With the advent of the mobile office era, IPSec has been extended so that users can gain remote access through a dedicated VPN application (client) installed on a mobile device.

SSL VPN, on the other hand, was designed with the mobile office in mind and is expected to provide seamless, client-less remote access. An SSL VPN can thus be seen as an application proxy: remote users access specific company resources, at a chosen granularity, through a browser rather than by installing a client.

Strengths and weaknesses

The key advantage of IPSec is that it provides a permanent connection between sites. Working at the network layer (layer 3 of the network stack) also makes it application-independent: any IP-based protocol can be carried over it. This makes IPSec an attractive alternative to expensive leased or dedicated lines. It can also serve as a backup link that takes over when the primary leased or dedicated line between the remote site and the central office fails.

However, IPSec's application-independent design is also a weakness. Although it provides authentication, authorization and encryption, and essentially extends the company network to any remote user, it cannot limit access to resources at a fine granularity. Once a tunnel is established, the remote user can reach any company resource, just as if directly connected to the company network. These security problems become more serious because the mobile office requires unmanaged IT devices such as smartphones and home computers to access company resources. The IT department has no visibility into or control over these devices and cannot guarantee that they meet the security level normally enforced on managed devices.

IPSec also requires more maintenance. Beyond the devices needed to terminate the tunnels, additional configuration and maintenance are required to support groups of remote users. When the company uses Network Address Translation (NAT), special configuration is also needed to make the IPSec and NAT settings work together.

In contrast, SSL VPNs were built for remote access from the very beginning. They require no special software to be installed; remote access is implemented through a browser-based SSL session. SSL VPNs also give the enterprise granular access control: specific authentication and application access authorization schemes can be limited to a particular user group. Built-in logging and auditing capabilities help satisfy a variety of compliance requirements. SSL VPNs can also run host compliance checks on remote devices connecting to the enterprise, verifying that they are configured with appropriate security software and have the latest patches installed.

This does not mean that SSL VPNs are a panacea for all of IPSec's shortcomings. When a remote site needs an uninterrupted connection to the main office, SSL VPN is not a suitable solution. Application-independent IPSec supports a large number of legacy protocols and legacy client/server applications at minimal cost, unlike SSL VPNs, which are built around web applications. Many SSL VPNs address this by installing a Java- or ActiveX-based proxy control on the remote device. Typically the control is installed automatically once the remote device has been verified by the SSL VPN appliance, but it is worth noting that ActiveX and Java each have their own security flaws, which attackers commonly try to exploit.

IPSec VPN or SSL VPN?

Within an enterprise, each VPN solution has its own advantages. Ideally, because SSL and IPSec VPNs serve different purposes and have complementary strengths, both should be used. IPSec should be used when an uninterrupted connection to a remote office location or to partners/suppliers is required. In that case, the missing granular access control and host inspection capabilities should be supplied by a network access control system, which ensures that only verified remote hosts can connect to the enterprise. When granular access control, auditing and logging, and security policy enforcement are critical for the mobile office, the enterprise should use SSL VPN as its primary remote access solution. Whatever the choice and the specific requirements, remember that a VPN must be kept updated, tested and performance-tested, and that it is only one part of a defense-in-depth strategy that draws on comprehensive policies and a range of network security technologies.
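The access-control difference argued in the "Strengths and weaknesses" section and in the recommendation above can be modelled in a few lines. This is an added example, not code from the original article: it contrasts a plain IPSec tunnel (network-wide reach once the tunnel is up), IPSec supplemented by a NAC posture check, and an SSL VPN gateway that also applies a per-user-group application ACL and logs each decision. The user groups, application names and posture attributes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Host:
    """Constructed host posture attributes a compliance check would look at."""
    patched: bool
    antivirus: bool


@dataclass
class Request:
    user: str
    group: str
    app: str
    host: Host


# Constructed sample ACL: user group -> applications the SSL VPN proxies for it.
SSL_ACL: Dict[str, Set[str]] = {
    "sales": {"crm", "webmail"},
    "contractor": {"ticketing"},
}


def posture_ok(h: Host) -> bool:
    """NAC / host-compliance check: patched and running security software."""
    return h.patched and h.antivirus


def ipsec_allows(tunnel_up: bool, req: Request) -> bool:
    """Network-layer VPN: every internal resource is reachable once the tunnel exists."""
    return tunnel_up


def ipsec_nac_allows(tunnel_up: bool, req: Request) -> bool:
    """IPSec plus NAC: still all-or-nothing, but only compliant hosts get the tunnel."""
    return tunnel_up and posture_ok(req.host)


@dataclass
class SslVpnGateway:
    audit: List[str] = field(default_factory=list)

    def allows(self, req: Request) -> bool:
        """Application-layer proxy: posture check plus a per-group application ACL,
        with every decision written to an audit log."""
        ok = posture_ok(req.host) and req.app in SSL_ACL.get(req.group, set())
        self.audit.append(f"{req.user}:{req.group}->{req.app} {'ALLOW' if ok else 'DENY'}")
        return ok
```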

from: http://www.d1net.com/security/vpn/70542.html
